Smooth Operator

2023-06-29 UKNCSC

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/smooth-operator/NCSC_MAR-Smooth-Operator.pdf


NCSC's malware analysis report describes Smooth Operator as macOS malware distributed through the 3CX supply-chain compromise, inside signed and notarized 3CX Desktop App packages. A trojanized libffmpeg.dylib acted as the first stage, downloading and running a second-stage payload on Intel (x86_64) macOS systems; the report says the arm64 slice of the same library contained no added malicious code. Smooth Operator generates a victim ID in UUID format, keeps state and lock files under the 3CX application-support directory, sleeps before its first beacon, picks one of several C2 servers at random, and sends victim data over HTTPS obfuscated with a custom encoding algorithm. The hashes listed below (trojanized DMG, first-stage component and second-stage payload), together with the C2 domains and URLs and the NCSC YARA rule names, provide detection context; this excerpt does not itself attribute the activity to a DPRK actor.
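The report's observation that only the x86_64 slice of libffmpeg.dylib carried added code has a practical consequence for hash matching: a universal (fat) Mach-O on disk contains several architecture slices, so the hash of the whole file differs from the hash of the x86_64 slice that a sandbox or analyst may have extracted, and a match on one will miss the other. The Python below is an added example written for this page, not code from NCSC or from 3CX. It parses the fat header, hashes every slice separately and flags any slice whose MD5 appears in a caller-supplied set. The sample fat binary, its two slices and the "known bad" MD5 are constructed inline for the demonstration; real use would point it at the library inside the 3CX Desktop App bundle and at hashes taken from the PDF.

```python
"""Hash each architecture slice of a fat (universal) Mach-O separately.

Added example for this page, not NCSC or 3CX code. Fat header layout
(all big-endian uint32): magic 0xCAFEBABE, nfat_arch, then nfat_arch
entries of {cputype, cpusubtype, offset, size, align}.
"""
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
FAT_ARCH_LEN = 20  # struct fat_arch: five uint32 fields


def fat_slices(data: bytes) -> list[dict]:
    """Return one dict per slice: arch, offset, size, md5, sha256.

    Raises ValueError for thin Mach-O input or an inconsistent header,
    so a caller never silently hashes the wrong bytes.
    """
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError(f"not a fat Mach-O (magic 0x{magic:08x})")
    slices = []
    for i in range(nfat):
        off = 8 + i * FAT_ARCH_LEN
        if off + FAT_ARCH_LEN > len(data):
            raise ValueError("truncated fat_arch table")
        cputype, _subtype, offset, size, _align = struct.unpack(
            ">IIIII", data[off:off + FAT_ARCH_LEN])
        if offset + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        blob = data[offset:offset + size]
        slices.append({
            "arch": CPU_NAMES.get(cputype, f"cputype_0x{cputype:08x}"),
            "offset": offset,
            "size": size,
            "md5": hashlib.md5(blob).hexdigest(),
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return slices


def triage(data: bytes, known_bad_md5: set[str]) -> list[tuple[str, bool]]:
    """Flag each slice whose MD5 is in the caller's known-bad set."""
    return [(s["arch"], s["md5"] in known_bad_md5) for s in fat_slices(data)]


def build_fat(arch_blobs: list[tuple[int, bytes]], align: int = 12) -> bytes:
    """Assemble a fat binary from (cputype, bytes) pairs; slices are placed
    on 2**align boundaries as real universal binaries are. Used here only
    to construct the sample below."""
    offset = 8 + FAT_ARCH_LEN * len(arch_blobs)
    table, body = b"", b""
    for cputype, blob in arch_blobs:
        pad = (-offset) % (1 << align)
        body += b"\0" * pad
        offset += pad
        table += struct.pack(">IIIII", cputype, 3, offset, len(blob), align)
        body += blob
        offset += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(arch_blobs)) + table + body


# Constructed sample: two fake slices that start with the 64-bit Mach-O
# magic (0xFEEDFACF, little-endian on disk). Not real 3CX bytes.
X86_SLICE = b"\xcf\xfa\xed\xfe" + b"x86_64 slice carrying the added loader"
ARM_SLICE = b"\xcf\xfa\xed\xfe" + b"arm64 slice with no added code"
SAMPLE_FAT = build_fat([(CPU_TYPE_X86_64, X86_SLICE), (CPU_TYPE_ARM64, ARM_SLICE)])
# Stand-in for an IOC hash of the x86_64 first stage; constructed, not from the PDF.
CONSTRUCTED_BAD_MD5 = hashlib.md5(X86_SLICE).hexdigest()


if __name__ == "__main__":
    for arch, hit in triage(SAMPLE_FAT, {CONSTRUCTED_BAD_MD5}):
        print(f"{arch:8} {'MATCH' if hit else 'clean'}")
    # Whole-file hash: equals neither slice hash, so do not compare it to a slice IOC.
    print("fat md5 ", hashlib.md5(SAMPLE_FAT).hexdigest())
```

Before comparing the per-slice values with the NCSC hashes, check in the PDF whether each listed hash refers to the whole DMG or file or to a single extracted stage; the same caution applies to any hash copied from a sandbox that thinned the binary before analysis.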

Indicators of Compromise

Several values below are truncated as extracted ("…"); take the full values from the PDF before using them in detection content.

Type    Value                                First seen   Last seen
HASH    6c121f2b2efa6592c2c22b29218157e…     2023-06-29   2024-12-27
HASH    a64fa9f1c76457ecc58402142a8728c…     2023-03-30   2024-12-27
HASH    e6bbc33815b9f20b0cf832d7401dd89…     2023-03-29   2024-12-27
DOMAIN  visualstudiofactory.com              2023-03-29   2024-09-09
DOMAIN  akamaitechcloudservices.com          2023-03-29   2024-09-09
DOMAIN  msedgepackageinfo.com                2023-03-29   2024-09-09
DOMAIN  msstorageazure.com                   2023-03-29   2024-09-09
DOMAIN  azureonlinestorage.com               2023-03-29   2024-09-09
DOMAIN  zacharryblogs.com                    2023-03-29   2024-09-09
DOMAIN  officestoragebox.com                 2023-03-29   2024-09-09
DOMAIN  pbxphonenetwork.com                  2023-03-29   2024-09-09
DOMAIN  sourceslabs.com                      2023-03-29   2024-09-09
DOMAIN  officeaddons.com                     2023-03-29   2024-09-09
DOMAIN  glcloudservice.com                   2023-03-29   2024-09-09
DOMAIN  pbxcloudeservices.com                2023-03-29   2024-09-09
DOMAIN  azuredeploystore.com                 2023-03-29   2024-09-09
DOMAIN  pbxsources.com                       2023-03-29   2024-09-09
DOMAIN  msstorageboxes.com                   2023-03-29   2024-09-09
URL     https://sbmsa.wiki/blog/_insert      2023-04-01   2024-01-01
DOMAIN  sbmsa.wiki                           2023-04-01   2024-01-01
URL     https://akamaitechcloudservices…     2023-06-29   2023-10-05
YARA    Smooth_Operator_II                   2023-06-29   2023-06-29
YARA    Smooth_Operator_Sleeps               2023-06-29   2023-06-29
YARA    Smooth_Operator_C2_codes             2023-06-29   2023-06-29
YARA    Smooth_Operator_Strings              2023-06-29   2023-06-29
YARA    Smooth_Operator_Obfuscation_2        2023-06-29   2023-06-29
YARA    Smooth_Operator_Obfuscation          2023-06-29   2023-06-29
HASH    5faf36ca90f6406a78124f538a03387a     2023-06-29   2023-06-29
HASH    88470888470d884712884717c6472400     2023-06-29   2023-06-29
URL     https://pbxcloudeservices.com/n…     2023-06-29   2023-06-29
URL     https://officeaddons.com/quality     2023-06-29   2023-06-29
URL     https://msstorageboxes.com/xbox      2023-06-29   2023-06-29
URL     https://officestoragebox.com/ap…     2023-06-29   2023-06-29
URL     https://azuredeploystore.com/cl…     2023-06-29   2023-06-29
URL     https://azureonlinestorage.com/…     2023-06-29   2023-06-29
URL     https://msedgepackageinfo.com/m…     2023-06-29   2023-06-29
URL     https://pbxphonenetwork.com/pho…     2023-06-29   2023-06-29
URL     https://glcloudservice.com/v1/s…     2023-06-29   2023-06-29
URL     https://msstorageazure.com/anal…     2023-06-29   2023-06-29
URL     https://visualstudiofactory.com…     2023-06-29   2023-06-29
URL     https://sourceslabs.com/status       2023-06-29   2023-06-29
URL     https://zacharryblogs.com/xmlqu…     2023-06-29   2023-06-29
HASH    9e9a5f8d86356796162cee881c843cd…     2023-04-01   2023-06-29
HASH    d5101c3b86d973a848ab7ed79cd11e5a     2023-03-30   2023-06-29
HASH    660ea9b8205fbd2da59fefd26ae5115c     2023-03-30   2023-06-29
HASH    769383fc65d1386dd141c960c997011…     2023-03-29   2023-06-29
HASH    3dc840d32ce86cebf657b17cef62814…     2023-03-29   2023-06-29
URL     https://pbxsources.com/queue         2023-03-29   2023-06-29
